22076557b0
usbip_host updates device status without holding lock from stub probe, disconnect and rebind code paths. When multiple requests to import a device are received, these unprotected code paths step all over each other and drive fails with NULL-ptr deref and use-after-free errors. The driver uses a table lock to protect the busid array for adding and deleting busids to the table. However, the probe, disconnect and rebind paths get the busid table entry and update the status without holding the busid table lock. Add a new finer grain lock to protect the busid entry. This new lock will be held to search and update the busid entry fields from get_busid_idx(), add_match_busid() and del_match_busid(). match_busid_show() does the same to access the busid entry fields. get_busid_priv() changed to return the pointer to the busid entry holding the busid lock. stub_probe(), stub_disconnect() and stub_device_rebind() call put_busid_priv() to release the busid lock before returning. This changes fixes the unprotected code paths eliminating the race conditions in updating the busid entries. Reported-by: Jakub Jirasek Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| README | ||
| stub_dev.c | ||
| stub_main.c | ||
| stub_rx.c | ||
| stub_tx.c | ||
| stub.h | ||
| usbip_common.c | ||
| usbip_common.h | ||
| usbip_event.c | ||
| vhci_hcd.c | ||
| vhci_rx.c | ||
| vhci_sysfs.c | ||
| vhci_tx.c | ||
| vhci.h | ||
| vudc_dev.c | ||
| vudc_main.c | ||
| vudc_rx.c | ||
| vudc_sysfs.c | ||
| vudc_transfer.c | ||
| vudc_tx.c | ||
| vudc.h | ||
TODO: - more discussion about the protocol - testing - review of the userspace interface - document the protocol Please send patches for this code to Greg Kroah-Hartman <greg@kroah.com>